Convert Figma logo to code with AI

de4dot logode4dot

.NET deobfuscator and unpacker.

7,187
2,760
7,187
9
View on GitHub

Top Related Projects

dnSpy's avatar

dnSpy

27,833

.NET debugger and assembly editor

0xd4d's avatar

dnlib

2,301

Reads and writes .NET assemblies and modules

mkaring's avatar

ConfuserEx

2,600

An open-source, free protector for .NET applications

Perfare's avatar

Il2CppDumper

7,921

Unity il2cpp reverse engineer

Quick Overview

de4dot is an open-source .NET deobfuscator and unpacker. It supports a wide variety of obfuscators and can help reverse engineers analyze and understand obfuscated .NET assemblies. The tool is designed to automatically remove obfuscation from .NET executables and DLLs, making them easier to read and analyze.

Pros

  • Supports a wide range of obfuscators, including popular ones like Dotfuscator, SmartAssembly, and ConfuserEx
  • Actively maintained and regularly updated to handle new obfuscation techniques
  • Command-line interface allows for easy integration into automated workflows
  • Open-source nature allows for community contributions and improvements

Cons

  • May not be able to fully deobfuscate heavily protected assemblies
  • Requires some technical knowledge to use effectively
  • Can potentially produce false positives or incomplete deobfuscation results
  • Legal and ethical considerations when using on proprietary software

Getting Started

To use de4dot, follow these steps:

  1. Download the latest release from the GitHub repository.
  2. Extract the files to a directory of your choice.
  3. Open a command prompt and navigate to the directory containing de4dot.
  4. Run the following command to deobfuscate a file:
de4dot.exe path\to\obfuscated\file.exe

For more advanced usage, you can specify additional options:

de4dot.exe -r path\to\directory -ro path\to\output\directory

This command will recursively deobfuscate all files in the specified directory and save the output to a separate directory.

For a full list of options and supported obfuscators, run:

de4dot.exe --help

Note: Always ensure you have the legal right to deobfuscate and analyze the target software before using de4dot.

Competitor Comparisons

dnSpy logo

dnSpy

27,833

.NET debugger and assembly editor

Pros of dnSpy

  • More comprehensive .NET debugging and reverse engineering tool
  • Includes a powerful decompiler with editing capabilities
  • Offers a user-friendly GUI for easier navigation and analysis

Cons of dnSpy

  • Larger file size and more complex setup compared to de4dot
  • May be overkill for simple deobfuscation tasks
  • Less focused on specific obfuscation removal techniques

Code Comparison

de4dot (command-line usage):

de4dot.exe -r obfuscated.exe

dnSpy (typical workflow):

// Open the assembly in dnSpy
// Navigate to the desired method
// Right-click and select "Edit Method (C#)"
// Modify the decompiled code
// Compile and save changes

Summary

de4dot is a specialized tool for .NET deobfuscation, while dnSpy is a more comprehensive debugger and decompiler. de4dot excels at removing specific obfuscations quickly, whereas dnSpy offers a broader range of features for in-depth analysis and modification of .NET assemblies. Choose de4dot for focused deobfuscation tasks and dnSpy for more complex reverse engineering and debugging scenarios.

0xd4d logo

dnlib

2,301

Reads and writes .NET assemblies and modules

Pros of dnlib

  • More focused library for reading, writing, and analyzing .NET assemblies
  • Actively maintained with regular updates and contributions
  • Provides a comprehensive API for manipulating .NET metadata

Cons of dnlib

  • Steeper learning curve for beginners compared to de4dot
  • Requires more manual implementation for specific deobfuscation tasks
  • Less out-of-the-box functionality for immediate deobfuscation

Code Comparison

dnlib:

using dnlib.DotNet;
ModuleDefMD module = ModuleDefMD.Load("path/to/assembly.dll");
foreach (TypeDef type in module.Types) {
    Console.WriteLine($"Type: {type.FullName}");
}

de4dot:

using de4dot.code;
var deobfuscator = new DeobfuscatorInfo(new ObfuscatorInfo());
deobfuscator.DeobfuscateBegin();
deobfuscator.Deobfuscate();
deobfuscator.DeobfuscateEnd();

While dnlib provides a more granular approach to working with .NET assemblies, de4dot offers a higher-level interface specifically designed for deobfuscation tasks. dnlib is better suited for developers who need fine-grained control over assembly manipulation, while de4dot is more appropriate for users seeking a ready-to-use deobfuscation solution.

mkaring logo

ConfuserEx

2,600

An open-source, free protector for .NET applications

Pros of ConfuserEx

  • Active development with more recent updates
  • Offers a wider range of obfuscation techniques
  • Includes a graphical user interface for easier configuration

Cons of ConfuserEx

  • May introduce overhead and potentially impact performance
  • Can make debugging more challenging
  • Some protection methods might be detected by antivirus software

Code Comparison

ConfuserEx (obfuscation):

[Obfuscation(Feature = "rename", Exclude = false)]
public class MyClass
{
    public void MyMethod() { /* ... */ }
}

de4dot (deobfuscation):

public static int DeobfuscateAndSave(IList<IObfuscatedFile> files)
{
    int numDeobfuscated = 0;
    foreach (var file in files)
    {
        // Deobfuscation logic here
    }
}

Summary

ConfuserEx is an obfuscator for .NET assemblies, while de4dot is a deobfuscator. ConfuserEx aims to protect code from reverse engineering, offering various obfuscation techniques. On the other hand, de4dot attempts to undo obfuscation, making it easier to analyze and understand obfuscated code. While ConfuserEx provides more active development and a user-friendly interface, it may impact performance and complicate debugging. de4dot focuses solely on deobfuscation, making it a simpler tool for its specific purpose.

Perfare logo

Il2CppDumper

7,921

Unity il2cpp reverse engineer

Pros of Il2CppDumper

  • Specialized for Unity IL2CPP games, providing more accurate results for these specific targets
  • Offers additional features like script generation and metadata parsing
  • Actively maintained with frequent updates

Cons of Il2CppDumper

  • Limited to IL2CPP-based applications, less versatile than de4dot
  • May require more setup and configuration for optimal results
  • Less comprehensive documentation compared to de4dot

Code Comparison

Il2CppDumper:

public static Il2CppDumper LoadFromFile(string fileName, bool isMetadata = false)
{
    using (var stream = new FileStream(fileName, FileMode.Open, FileAccess.Read))
    {
        return new Il2CppDumper(stream, isMetadata);
    }
}

de4dot:

public static DeobfuscatorInfo Create()
{
    return new DeobfuscatorInfo(
        "de4dot",
        "de4dot deobfuscator",
        "0.1.0.0",
        new Deobfuscator()
    );
}

Both projects serve different purposes within the realm of reverse engineering. Il2CppDumper is tailored for Unity IL2CPP games, offering specialized features for this niche. In contrast, de4dot is a more general-purpose .NET deobfuscator with broader application. The code snippets highlight their distinct approaches, with Il2CppDumper focusing on file loading and parsing, while de4dot emphasizes deobfuscator creation and configuration.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Description

de4dot is an open source (GPLv3) .NET deobfuscator and unpacker written in C#. It will try its best to restore a packed and obfuscated assembly to almost the original assembly. Most of the obfuscation can be completely restored (eg. string encryption), but symbol renaming is impossible to restore since the original names aren't (usually) part of the obfuscated assembly.

It uses dnlib to read and write assemblies so make sure you get it or it won't compile.

Binaries

Get binaries from the build server .

It's FREE but there's NO SUPPORT

There's no support. Don't email me if you can't use it or if it fails to deobfuscate a file obfuscated with an updated obfuscator.

Instead, try to update de4dot yourself. It's a lot easier than you think. If you can't, search the Internet and you should find a couple of forums where you can ask your question.

Features

Here's a pseudo random list of the things it will do depending on what obfuscator was used to obfuscate an assembly:

  • Inline methods. Some obfuscators move small parts of a method to another static method and calls it.
  • Decrypt strings statically or dynamically
  • Decrypt other constants. Some obfuscators can also encrypt other constants, such as all integers, all doubles, etc.
  • Decrypt methods statically or dynamically
  • Remove proxy methods. Many obfuscators replace most/all call instructions with a call to a delegate. This delegate in turn calls the real method.
  • Rename symbols. Even though most symbols can't be restored, it will rename them to human readable strings. Sometimes, some of the original names can be restored, though.
  • Devirtualize virtualized code
  • Decrypt resources. Many obfuscators have an option to encrypt .NET resources.
  • Decrypt embedded files. Many obfuscators have an option to embed and possibly encrypt/compress other assemblies.
  • Remove tamper detection code
  • Remove anti-debug code
  • Control flow deobfuscation. Many obfuscators modify the IL code so it looks like spaghetti code making it very difficult to understand the code.
  • Restore class fields. Some obfuscators can move fields from one class to some other obfuscator created class.
  • Convert a PE exe to a .NET exe. Some obfuscators wrap a .NET assembly inside a Win32 PE so a .NET decompiler can't read the file.
  • Removes most/all junk classes added by the obfuscator.
  • Fixes some peverify errors. Many of the obfuscators are buggy and create unverifiable code by mistake.
  • Restore the types of method parameters and fields

Supported obfuscators/packers

  • Agile.NET (aka CliSecure)
  • Babel.NET
  • CodeFort
  • CodeVeil
  • CodeWall
  • CryptoObfuscator
  • DeepSea Obfuscator
  • Dotfuscator
  • .NET Reactor
  • Eazfuscator.NET
  • Goliath.NET
  • ILProtector
  • MaxtoCode
  • MPRESS
  • Rummage
  • Skater.NET
  • SmartAssembly
  • Spices.Net
  • Xenocode

Some of the above obfuscators are rarely used (eg. Goliath.NET), so they have had much less testing. Help me out by reporting bugs or problems you find.

Warning

Sometimes the obfuscated assembly and all its dependencies are loaded into memory for execution. Use a safe sandbox environment if you suspect the assembly or assemblies to be malware.

Even if the current version of de4dot doesn't load a certain assembly into memory for execution, a future version might.

How to use de4dot

N00b users

Drag and drop the file(s) onto de4dot.exe and wait a few seconds.

Deobfuscate more than one file at a time

When more than one assembly has been obfuscated, it's very likely that you must deobfuscate them all at the same time unless you disable symbol renaming. The reason is that if assembly A has a reference to class C in assembly B, and you rename symbols only in assembly B, then class C could be renamed to eg. Class0 but the reference in assembly A still references a class called C in assembly B. If you deobfuscate both assemblies at the same time, all references will also be updated.

Find all obfuscated files and deobfuscate them

The following command line will deobfuscate all assemblies that have been obfuscated by a supported obfuscator and save the assemblies to c:\output

de4dot -r c:\input -ru -ro c:\output

-r means recursive search. -ru means it should ignore unknown files. -ro means it should place the output files in the following directory. Typically, you'd first copy c:\input to c:\output, and then run the command. That way all the files will be in c:\output, even non-assemblies and non-processed assemblies. When de4dot is finished, you'd just double click the main assembly in c:\output and it should hopefully start.

Detect obfuscator

Use the -d option to detect the obfuscator without deobfuscating any assembly.

Find all .NET assemblies and detect obfuscator. If it's an unsupported obfuscator or if it's not obfuscated, it will print "Unknown obfuscator".

de4dot -d -r c:\input

Same as above except that it will only show which files have been obfuscated by a supported obfuscator.

de4dot -d -r c:\input -ru

Detect obfuscator

de4dot -d file1.dll file2.dll file3.dll

Preserving metadata tokens

Sometimes in rare cases, you'd want to preserve the metadata tokens. Use --preserve-tokens or --preserve-table. Also consider using --keep-types since it won't remove any types and methods added by the obfuscator. Another useful option is --dont-create-params. If used, the renamer won't create Param rows for method parameters that don't have a Param row. That way the ParamPtr table won't be added to your assemblies. Peverify has a bug and doesn't support it (you'll see lots of "errors").

The #Strings, #US and #Blob heaps can also be preserved by using --preserve-strings, --preserve-us, and --preserve-blob respectively. Of these three, --preserve-us is the most useful one since ldstr instruction and module.ResolveString() directly reference the #US heap.

--preserve-sig-data should be used if the obfuscator adds extra data at the end of signatures that it uses for its own purpose, eg. as decryption keys. Confuser is one obfuscator that does this.

--preserve-tokens preserves all important tokens but will also enable --preserve-us, --preserve-blob and --preserve-sig-data.

If it's detected as an unknown (unsupported) obfuscator (or if you force it with -p un), all tokens are preserved, including the #US heap and any extra data at the end of signatures. Also, no obfuscator types, fields or methods are removed.

Preserve all important tokens, #US, #Blob, extra sig data.

de4dot --preserve-tokens file1.dll

Preserve all important tokens, #US, #Blob, extra sig data and don't remove types/fields added by the obfuscator

de4dot --keep-types --preserve-tokens file1.dll

Preserve all important tokens, #US, #Blob, extra sig data and don't create extra Param rows to prevent the ParamPtr table from being created.

de4dot --dont-create-params --preserve-tokens file1.dll

Preserve all important tokens except the Param tokens.

de4dot --preserve-table all,-pd file1.dll

Dynamically decrypting strings

Although de4dot supports a lot of obfuscators, there's still some it doesn't support. To decrypt strings, you'll first need to figure out which method or methods decrypt strings. To get the method token of these string decrypters, you can use ILDASM with the 'show metadata tokens' option enabled. A method token is a 32-bit number and begins with 06, eg. 06012345.

This command will load assembly file1.dll into memory by calling Assembly.Load(). When it detects calls to the two string decrypters (06012345 and 060ABCDE), it will call them by creating a dynamic method, and save the result (the decrypted string). The call to the string decrypter will be removed and the decrypted string will be in its place.

de4dot file1.dll --strtyp delegate --strtok 06012345 --strtok 060ABCDE

Since the assembly is loaded and executed, make sure you run this in a sandbox if you suspect the file to be malware.

Forcing detection of a certain obfuscator

de4dot isn't perfect. If it fails to detect an obfuscator, you can use the -p option to force it to assume it's been obfuscated by it.

Force SmartAssembly

de4dot file1.dll -p sa

Force unsupported obfuscator

de4dot file1.dll -p un

For other obfuscator types, see the help screen.

Disabling symbol renaming

Renaming symbols isn't as easy as renaming A to B when reflection is involved. de4dot currently doesn't support renaming XAML so if you suspect that it uses WPF (or if it's a Silverlight app) you should disable renaming if the assembly fails to run.

de4dot --dont-rename file1.dll file2.dll

--keep-names can also be used to tell de4dot not to rename certain symbols, eg. "don't rename fields".

Rename everything that should be renamed except properties, events and methods.

de4dot --keep-names pem file1.dll

Using a different rename regex

The default regexes should be enough, except possibly the one that is used when an unsupported obfuscator is detected. To see all default regexes, start de4dot without any arguments and it will list all options and all default values.

Eg., currently the following is the default regex used when Dotfuscator is detected

!^[a-z][a-z0-9]{0,2}$&!^A_[0-9]+$&^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$

As you can see, it's not just one regex, it's more than one. Each one is separated by & and each regex can be negated by using ! in front of it. To show it more clearly, these regexes are used:

(negated) ^[a-z][a-z0-9]{0,2}$
(negated) ^A_[0-9]+$
^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$

To change the regex(es), you must know the short type name of the obfuscator (see help screen). Eg. it's sa if it's SmartAssembly, and un if it's an unsupported/unknown obfuscator. The option to use is --TYPE-name (eg. --sa-name for SmartAssembly and --un-name for unknown/unsupported obfuscators):

de4dot --un-name "^[a-zA-Z]\w*$" file1.dll

Other options

Start de4dot without any arguments and it will show all options.